Rowland Penny
2022-Aug-16 18:09 UTC
[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
> Hello,
>
> Recently we added a new DC to our existing samba domain. It was supposed to
> be the start of the process of migrating our centos-7 based AD-DC to
> Debian.
> Samba was installed from the default repo (samba-ad-dc), it's version
> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
> 4.11.4 and one new 4.13.13
>
> Everything seems to be working fine with the new DC except for this
> error/warning that occasionally pops up:
>
> samba[15490]: [2022/08/16 16:07:18.885749, 1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
> samba[15490]: PAC_TYPE_REQUESTER_SID missing
>
> It's mostly corresponding to a java 1.8 application that is using
> kerberos (keytab) to re-authenticate to a database. It's not that java
> is unable to authenticate, just every few or so minutes (let's say
> 20-ish) I see this error, but not every time. We've had the setup
> running for the last 4 years and it's the first time I see this issue.
>
> I would be glad for some pointers, I'm not sure what exactly this
> error/warning means and what's causing it. Obviously it's related to
> kerberos. On my other 2 DCs I've never seen this and googling doesn't
> help me much either.
>
> I read that in 4.13.14 there was a security change that seems related,
> but I don't "get" why it mostly works and only sometimes I see this
> warning/error.

That error will be coming from your new DC (it is the only one that
will have that piece of code), but whatever is causing it will not be
using the new DC exclusively, it will use any of the DCs in a
round-robin fashion.

I suggest you read this:
https://www.samba.org/samba/security/CVE-2020-25719.html

Rowland
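The thread turns on two observations: the warning is only emitted by the 4.13.13 DC, and it appears intermittently because the client is spread across all DCs. A quick way to check the second point on the affected DC is to pull every `PAC_TYPE_REQUESTER_SID missing` record out of its log and look at the spacing between occurrences (the reporter estimated roughly 20 minutes). The script below is an added example, not code from this thread or from the Samba project. It assumes the two-line Samba debug format shown in the quoted excerpt (a `[date time, level] file:line(function)` header followed by the message on the next line), optionally prefixed by syslog/journald with `samba[PID]: `. The sample lines are constructed to resemble the excerpt; the second, unrelated record is invented filler.

```python
"""Triage Samba AD DC log output for 'PAC_TYPE_REQUESTER_SID missing'.

Added example (not from the samba mailing-list thread or the Samba
project). Assumes Samba's two-line debug record:

    [YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)
    message text

optionally prefixed with 'samba[PID]: ' by syslog/journald.
"""
import re
import sys
from collections import Counter
from datetime import datetime

TARGET = "PAC_TYPE_REQUESTER_SID missing"

# Optional syslog/journald prefix such as 'samba[15490]: '
_PREFIX = r"^(?:\S+\[\d+\]:\s*)?"

HEADER_RE = re.compile(
    _PREFIX
    + r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\]\s+"
    + r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
MSG_RE = re.compile(_PREFIX + r"(?P<msg>.*\S)\s*$")

# Constructed sample: first and third records mimic the excerpt in the
# thread, the middle record is invented, unrelated filler.
SAMPLE_LOG = """\
samba[15490]: [2022/08/16 16:07:18.885749, 1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]: PAC_TYPE_REQUESTER_SID missing
samba[15490]: [2022/08/16 16:15:02.000001, 3] ../../source4/example/filler.c:1(filler_func)
samba[15490]: some unrelated level-3 message
samba[15490]: [2022/08/16 16:27:40.112233, 1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
samba[15490]: PAC_TYPE_REQUESTER_SID missing
""".splitlines()


def parse_records(lines):
    """Pair each header line with the message on the following line."""
    records = []
    pending = None
    for raw in lines:
        m = HEADER_RE.match(raw)
        if m:
            if pending is not None:          # header with no message line
                pending["msg"] = ""
                records.append(pending)
            pending = {
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "func": m.group("func"),
            }
            continue
        if pending is not None:
            mm = MSG_RE.match(raw)
            pending["msg"] = mm.group("msg") if mm else raw.strip()
            records.append(pending)
            pending = None
    if pending is not None:
        pending["msg"] = ""
        records.append(pending)
    return records


def requester_sid_events(lines):
    """Only the records whose message is the REQUESTER_SID warning."""
    return [r for r in parse_records(lines) if r["msg"] == TARGET]


def intervals_minutes(events):
    """Gaps between consecutive warnings, in minutes (one decimal)."""
    ts = [e["ts"] for e in events]
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(ts, ts[1:])]


def summarize(lines):
    """Count warnings per emitting source location (file:function)."""
    return dict(Counter(f"{e['file']}:{e['func']}" for e in requester_sid_events(lines)))


if __name__ == "__main__":
    # Usage: python triage.py /var/log/samba/log.samba   (or any captured log)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    ev = requester_sid_events(src)
    print(f"{len(ev)} '{TARGET}' records")
    for e in ev:
        print(f"  {e['ts']}  {e['file']}:{e['line']} {e['func']}")
    print("gaps (min):", intervals_minutes(ev))
    print("by location:", summarize(src))
```

Run it against the log of the 4.13.13 DC and, for comparison, against the two 4.11.4 DCs: the older DCs should show zero matches because, as Rowland notes, they do not carry the code that emits this warning. Irregular gaps between occurrences on the new DC are consistent with the client being handed to a different DC on each authentication.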
Kacper Wirski
2022-Aug-16 19:31 UTC
[Samba] samba ad-dc 4.13.13 PAC_TYPE_REQUESTER_SID missing
Thank you.

So, I suppose, the issue is that a client can still obtain a ticket from one of the older DCs without the PAC, and when presenting it to the new DC the error appears? If that's so, then simply upgrading all DCs to min. 4.13.14 or higher should "fix" it, right?

Regards,
Kacper Wirski

On 16.08.2022 at 20:09, Rowland Penny via samba wrote:
> On Tue, 2022-08-16 at 16:52 +0200, Kacper Wirski via samba wrote:
>> Hello,
>>
>> Recently we added a new DC to our existing samba domain. It was supposed to
>> be the start of the process of migrating our centos-7 based AD-DC to
>> Debian.
>> Samba was installed from the default repo (samba-ad-dc), it's version
>> 4.13.13, centos (previous) was on 4.11.4. So right now we have 2 x
>> 4.11.4 and one new 4.13.13
>>
>> Everything seems to be working fine with the new DC except for this
>> error/warning that occasionally pops up:
>>
>> samba[15490]: [2022/08/16 16:07:18.885749, 1] ../../source4/kdc/wdc-samba4.c:463(samba_wdc_reget_pac2)
>> samba[15490]: PAC_TYPE_REQUESTER_SID missing
>>
>> It's mostly corresponding to a java 1.8 application that is using
>> kerberos (keytab) to re-authenticate to a database. It's not that java
>> is unable to authenticate, just every few or so minutes (let's say
>> 20-ish) I see this error, but not every time. We've had the setup
>> running for the last 4 years and it's the first time I see this issue.
>>
>> I would be glad for some pointers, I'm not sure what exactly this
>> error/warning means and what's causing it. Obviously it's related to
>> kerberos. On my other 2 DCs I've never seen this and googling doesn't
>> help me much either.
>>
>> I read that in 4.13.14 there was a security change that seems related,
>> but I don't "get" why it mostly works and only sometimes I see this
>> warning/error.
>
> That error will be coming from your new DC (it is the only one that
> will have that piece of code), but whatever is causing it will not be
> using the new DC exclusively, it will use any of the DCs in a
> round-robin fashion.
>
> I suggest you read this:
> https://www.samba.org/samba/security/CVE-2020-25719.html
>
> Rowland